Commit Graph

62 Commits

Author SHA1 Message Date
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
Aigars Mahinovs
7acec6243b Fall back to using OIDC Subject instead of Email
Email is not mandatory field, Subject is mandatory and expected to be unique. Might want to take a look at UserInfo first, however.

Issue: #56
2019-03-08 13:39:08 +01:00
Gabor Lekeny
eacba4ec7d Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00
Joel Speed
cac2c9728d
Validate OIDC Session State 2019-01-22 11:34:57 +00:00
Joel Speed
1b638f32ac
Implement refreshing within OIDC provider 2019-01-22 11:34:56 +00:00
Joel Speed
6aa35a9ecf
Update sessions state 2019-01-22 11:34:53 +00:00
Joel Speed
68d4164897
Add Authorization header flags 2019-01-22 11:34:23 +00:00
Joel Speed
e200bd5c20
Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00
Joel Speed
8ee802d4e5
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00
Joel Speed
847cf25228
Move imports from bitly to pusher 2018-11-27 11:45:05 +00:00
Daniel Lamando
542ef54093
Strip JWT base64 padding before parsing. #560 2018-03-08 16:44:11 -08:00
Mark Maglana
882fcf0a01 providers: iterate across all pages from /user/orgs github endpoint.
For some GHE instances where a user can have more than 100
organizations, traversing the other pages is important otherwise
oauth2_proxy will consider the user unauthorized. This change traverses
the list returned by the API to avoid that.

Update github provider tests to include this case.
2017-12-04 15:51:48 -05:00
Carlo Lobrano
731fa9f8e0 Github provider: use login as user
- Save both user and email in session state:
    Encoding/decoding methods save both email and user
    field in session state, for use cases when User is not derived from
    email's local-parth, like for GitHub provider.

    For retrocompatibility, if no user is obtained by the provider,
    (e.g. User is an empty string) the encoding/decoding methods fall back
    to the previous behavior and use the email's local-part

    Updated also related tests and added two more tests to show behavior
    when session contains a non-empty user value.

- Added first basic GitHub provider tests

- Added GetUserName method to Provider interface
    The new GetUserName method is intended to return the User
    value when this is not the email's local-part.

    Added also the default implementation to provider_default.go

- Added call to GetUserName in redeemCode

    the new GetUserName method is used in redeemCode
    to get SessionState User value.

    For backward compatibility, if GetUserName error is
    "not implemented", the error is ignored.

- Added GetUserName method and tests to github provider.
2017-11-20 20:02:27 +01:00
Tanvir Alam
a7c5d9c478
Merge pull request #421 from arnottcr/raw-url-encode
raw url encoding
2017-11-20 10:50:56 -05:00
Tanvir Alam
f2a995b8d9 providers: update gitlab api endpoint to use latest version, v4 2017-11-06 12:05:58 -05:00
Tanvir Alam
8a77cfcac3 Swap out bmizerany/assert package that is deprecated in favor of stretchr/testify/assert 2017-10-23 12:24:17 -04:00
Jehiah Czebotar
b7f9438b8a Merge pull request #473 from jmcarp/oidc-name
Add OpenID Connect provider name.
2017-10-13 09:10:44 -04:00
Joshua Carp
d118cb7bbb Drop deprecated MyUSA provider.
[Resolves #390]
2017-10-08 01:01:15 -04:00
Joshua Carp
34d96f8d84 Add OpenID Connect provider name. 2017-10-08 00:40:36 -04:00
Miouge1
a32ff08d68 Update test for default GitLab scope 2017-09-12 23:43:49 +02:00
Miouge1
982439a8d8 Reduce the default GitLab scope 2017-09-12 23:42:07 +02:00
Jehiah Czebotar
e87c3eee13 Merge pull request #389 from ericchiang/oidc-provider
*: add an OpenID Connect provider
2017-09-09 20:44:59 -04:00
Eric Chiang
cb48577ede *: add an OpenID Connect provider
See the README for usage with Dex or any other OIDC provider.

To test run a backend:

    python3 -m http.server

Run dex and modify the example config with the proxy callback:

    go get github.com/coreos/dex/cmd/dex
    cd $GOPATH/src/github.com/coreos/dex
    sed -i.bak \
      's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
       examples/config-dev.yaml
    make
    ./bin/dex serve examples/config-dev.yaml

Then run the oauth2_proxy

    oauth2_proxy \
      --oidc-issuer-url http://127.0.0.1:5556/dex \
      --upstream http://localhost:8000 \
      --client-id example-app \
      --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
      --cookie-secret foo \
      --email-domain '*' \
      --http-address http://127.0.0.1:5555 \
      --redirect-url http://127.0.0.1:5555/oauth2/callback \
      --cookie-secure=false

Login with the username/password "admin@example.com:password"
2017-09-08 09:32:51 -07:00
Colin Arnott
ba67e5c847
strip all log statements with the endpoint var 2017-07-13 18:33:48 +00:00
Colin Arnott
8d6e16bf22
use base64.RawURLEncoding.DecodeString() in place of a bespoke function 2017-07-13 18:29:58 +00:00
Colin Arnott
17b1fa31dd
use Authorization header, not access_token query parameter 2017-05-18 03:45:34 +00:00
Jehiah Czebotar
c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Colin Arnott
55085d9697 csrf protection; always set state 2017-03-29 09:31:10 -04:00
Jehiah Czebotar
cd0d13e3fb Merge pull request #357 from wrapp/skip-group-lookup-404
Skip 404 errors when looking up Google groups
2017-03-28 21:38:55 -04:00
Colin Arnott
289a6ccf46 add check for //.* to prevent open redirect during oauth 2017-03-28 21:12:33 -04:00
Eskil Andreen
652f43ed38 Skip 404 errors when looking up Google groups
When checking user membership against Google groups the groups are checked one
at a time and in the order that they were supplied. If one of the groups does
not exist then the checking is halted with the following error.

google.go:201: googleapi: Error 404: Resource Not Found: groupKey, notFound

None of the groups following the missing group are checked either. This means
that something as trivial as a typo in the first group will make it impossible
for anybody to login.

This change catches the 404, logs a message, and then carries on as usual. In
this way a typo will cause a particular group to stop working but will not
affect any other groups.
2017-03-28 16:06:15 +02:00
nickmiller-wf
c566648127 add stripParam and stripToken methods to obfuscate log output 2016-08-02 21:01:44 -06:00
Tomas Pramuka
5acf96b75d Getting mail for Azure provider fix + tests 2016-06-29 09:00:08 +02:00
Jehiah Czebotar
a0763477c5
Facebook Authentication Provider
* will not re-prompt if the email permission is denied, or if you previously authorized the same FB app without the email scope.
2016-06-23 08:43:21 -04:00
Jehiah Czebotar
bcb8064831
github: fix github enterprise support 2016-06-20 08:15:07 -04:00
Jehiah Czebotar
cdebfd6436
base64 cookie support 2016-06-20 07:45:43 -04:00
Jehiah Czebotar
293d674e14 Merge pull request #214 from raphink/github_multiple_teams
github provider: allow multiple teams
2016-02-17 17:24:50 -05:00
Raphaël Pinson
338e99773a github provider: allow multiple teams 2016-02-17 23:17:08 +01:00
pmosbach
034612bf8b Add GitLab provider 2016-02-17 06:19:52 -06:00
Jehiah Czebotar
36128e971f Merge pull request #197 from ruta-goomba/enterprise-github
use Github provider with GitHub enterprise
2016-02-06 13:24:48 -06:00
Ruta Sakalauskaite
a9cf8b3313 adding enterprise github provider
print the error stack trace

point to my fork in oauthproxy.go

addint pointers to ruta-goomba fork in mulitple files

change api endpoint

replace hard-coded github api endpoint with variables

resetting fall through github urls to point to github.com

fix malformed url

changes to enable use with enterprise github
2016-01-21 21:22:18 +00:00
Eelco Cramer
10f47e325b Add Azure Provider 2016-01-20 03:57:17 -05:00
Brandon Philips
51a2e4e48c *: rename Url to URL everywhere
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
2015-11-09 00:47:44 +01:00
Justin Burnham
3fd8f911c2 google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
Jehiah Czebotar
d1c0208824 Merge pull request #131 from ebardsley/master
Allow passing the value of "approval_prompt" as a flag or option.
2015-08-27 07:33:07 -04:00
铁哥
8da7325683 Update github.go 2015-08-26 00:11:24 +08:00
Ed Bardsley
33045a792b Add a flag to set the value of "approval_prompt".
By setting this to "force", certain providers, like Google,
will interject an additional prompt on every new session. With other values,
like "auto", this prompt is not forced upon the user.
2015-07-31 00:43:47 -07:00
Jehiah Czebotar
0692c3763f More robust handling for missing email 2015-07-24 16:26:40 -04:00
Jehiah Czebotar
c1bf1ad167 github: better debug output for org/team validation 2015-07-24 16:10:10 -04:00
Jehiah Czebotar
d49c3e167f SessionState refactoring; improve token renewal and cookie refresh
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encription/decription and session state serialization
2015-07-02 23:09:11 -04:00